bryan bryan@conserver.com
Tue, 15 Oct 2002 09:03:05 -0700 (PDT)
if you have any opinion, please respond to me directly, instead of the list, so i can count opinions.

basically, i'm looking at the client-server protocol and wondering if it's really a good idea for folks to be able to do a 'console -i', 'console -w', etc, without providing a username and password (if passwords are required via the conserver.passwd file). currently, anyone can connect to a conserver process, retrieve information, and then possibly use it against you. this seems like a bad idea to me, and i was thinking conserver should not give out *any* information without first going through the user verification process (if required by the config files).

what do folks think? is anyone out there using the fact that you can poll for information without first authenticating? i could see automated scripts breaking, or perhaps other cases where it won't work. the biggest issue i see is that access is restricted to certain consoles. i figured that if you could authenticate to *any* console, you could poll for information (in the new model). thoughts?

Bryan